sign in sign up
<<
Home , Security management

INTERNATIONAL SCIENTIFIC JOURNAL "SCIENCE. . SOCIETY" WEB ISSN 2534-8485; PRINT ISSN 2367-8380 EXAMPLE OF SYSTEM OF THE – COMPONENTS AND CONCEPTS

ПРИМЕР НА СИСТЕМА ЗА УПРАВЛЕНИЕ НА СИГУРНОСТТА НА ОРГАНИЗАЦИЯТА – КОМПОНЕНТИ И КОНЦЕПИИ

Dr. Eng. Dimitrov D.L., Dr. Eng. Panevski V.S., Nikolov G.M. Institute of Metal Science Equipment and Technologies “Acad. A Balevski” with Hydroaerodynamics Centre - Bulgarian Academy of Sciences, Sofia, Bulgaria E-mail: [email protected]; [email protected]; [email protected]

Abstract: Issues related to security are intertwined in all areas of the life of an organization. Many of them are considered and documented organizational and provided within the respective area/subsystem of the management system of the organization. For example, information security management is detailed and reliably described in the international standards. And this is natural, considering the importance of this type of security and the fact that information technology lie at the core of almost all . In the meantime however, it is necessary to go a long way to reach the ultimate goal of improving security of the organizations by developing integrated management systems for business security. A Security Management System may be considered as that part of the overall management system, based manly of the system, that provides the structure to enable identification of potential threats to an organization and which establishes, implements, operates, monitors, reviews and maintains all appropriate measures to provide assurance of the effective management of the associated security . KEYWORDS: QUALITY; QUALITY MANAGEMENT SYSTEM (QMS); SECURITY; SECURITY MANAGEMENT SYSTEM (SMS); INTEGRATED MANAGEMENT SYSTEMS FOR BUSINESS SECURITY; SECURITY RISKS.

1. Introduction essential that those with responsibility for security are able to demonstrate competence not only in all aspects of the security Successful companies have found a way to offer something that discipline, but also have an awareness of the contribution security people want, at a price they are willing pay, in a way that will make can make to other aspects of the business, such as Governance, money in the transactions. Highly successful companies offer Strategy, Compliance, Assurance, New Ventures, and other quality products and services in this exchange, and keep quality essential business-related issues. It is the responsibility of the high; so that the customer will return the next time he/she wants to person with overall responsibility for Security to ensure that purchase [1]. training and development needs arc recognized, addressed and records maintained. In this way, security may become an integrated Quality has been defined as “The totality of features and and respected part of the organization; used in business planning, characteristics of a product or service that bear on its ability to execution, and decision making. Expectations of security personnel satisfy stated or implied needs. Not to be mistaken for “degree of are: excellence” or “fitness for use” which meet only part of the definition”. By this definition, security is a component of quality. • Professionalism - living the corporate values; Security is defined by the American Heritage Dictionary in their • Expertise - demonstrating a thorough knowledge of the subject; on-line database as: • Vision - demonstrating an understanding of the wider business a) Freedom from or danger, safety; objectives; b) Freedom from doubt, anxiety or fear; confidence; • Teamwork - working closely with other disciplines to understand their contributions and aspirations; c) Something that gives or assures safety as: • Collaboration - conducting security risk assessments in support of - a group or department of private guards; specific operations, not in isolation; - measures adopted by a government to prevent espionage, • Communication - security considerations to top management in a sabotage or attack; clear, concise manner, demonstrating due consideration to all - measures adopted, as by a business or homeowner, to factors. prevent a crime such as burglar or assault. Component 2 - Policies, Objectives and Tasks These definitions, taken together, can demonstrate that quality There should exist а single security policy which outlines the is the responsibility of the whole organization and security is a part security architecture, strategy and protocols. of the totality of quality of a system, implicit in customers` expectations. Security, as a component of quality, must be The following sections are addressed: addressed throughout an organization, in the definition of strategy, • Security management objectives; the development of policy and the implementation and monitoring of both [2]. • Statement of the attitude of the organization to security; 2. Components of security management system - • Description of the security environment; discussion • Statement of the security risk appetite; Component 1 – Credibility and Integration of the Personnel • Security organization, roles and responsibilities; A prerequisite that corporate security personnel come, for example, • Procedures for security risk assessment; from military, intelligence or law enforcement background, it is • List of security Standing Operating Procedures (SOPs);

37 YEAR I, ISSUE 4, P.P. 37-40 (2016) INTERNATIONAL SCIENTIFIC JOURNAL "SCIENCE. BUSINESS. SOCIETY" WEB ISSN 2534-8485; PRINT ISSN 2367-8380 • Security priorities and calendar for coming year. • How much does it cost? Component 3 - Threat, Vulnerability and Security Risk • What is our back up if something doesn't work or isn't Assessment available? Security risk assessments should take into consideration a wide Component 7 - Execution and Control Activities range of elements beyond threats. Such elements should include: The execution of a plan is predicated on all of the previous components in the management system: • The operating environment and groups/events by which it is characterized; • The plan has identified all the security risks to the operation; • The profile of the organization, the footprint and the social impact; • All control mechanisms are established; • The strategic, long term objectives of the organization; • The plan has been accordingly and appropriately resourced; • Voluntary Principles of Security and Human Rights; • Any bespoke procedures are documented, approved and validated; • Legislation and local expectations; • The plan has been effectively communicated to those with • Capability and intent of local criminal/terrorist elements; responsibility for its execution; • Vulnerability and attractiveness of to criminal/terrorist • Assurance that those with responsibility for carrying out the elements; plan have the correct competencies; • Availability of resources. • All correct back up and reinforcement strategies are established and tested. Component 4 – Controls Component 8 - Monitor and Security Reporting Examples of security controls may include: Monitoring is based, upon effective two-way communication. • Physical protection measures (lights, fences, CCTV, barriers, Where appropriate, traditional methods are often effective and etc.); should be considered: • Introduction of security procedures (ID checking, access • Inspections; control, mail screening, etc.); • Review meetings; • Intelligence networking (local social/political leaders/intelligence providers, etc.); • Auditing; • Electronic security (encryption, password protection, etc.); • Interviews; • Resourcing (security personnel, equipment, etc.); • Workshops. • Local integration (CSR programme, local content, etc.;) Component 9 – Review Component 5 - Security Risk Register The purpose of the review may be any combination of the following: A security risk register should: • To critically debrief the plan in order to determine strengths • Facilitate ownership and management of security risks; weaknesses and areas that could be improved; • Provide an overview of the significant security risks that arc • To obtain feedback from those involved in the execution of faced by an organization; the plan/ project regarding the manageability of the plan; • Record the results of threat/vulnerability security risk • To highlight any competency issues arising from exposure to assessment; new challenges; • Form an agreed record of those security risks that have been • To examine how much contribution the operation/task/project identified; brings to the achievement of the organization's objectives; • Record additional proposed actions to improve the security • Assurance to top management that security is being managed profile; effectively; • Facilitate the prioritization of security risks. • Enables security management to assess whether established Component 6 - Planning and Resourcing protocols are being effective, and to take action accordingly; Effective planning will answer: • Highlight examples of good practice. • What are we going to do? Component 10 – Learning • How are we going to do it? Effective processes for learning lessons will enable an organization to: • When are we going to do it? • Introduce improvements to procedures; • How long do we need to do it for? • Introduce improvements in ; • How are we going to coordinate and communicate? • Update documentation; • What do we do if something goes wrong? • Implement of new training courses; Effective resourcing will answer: • Increase awareness of new threats/update on existing threats; • What do we need to do it? • Introduce new equipment/technology; • How do we get it?

38 YEAR I, ISSUE 4, P.P. 37-40 (2016) INTERNATIONAL SCIENTIFIC JOURNAL "SCIENCE. BUSINESS. SOCIETY" WEB ISSN 2534-8485; PRINT ISSN 2367-8380 • Better integrate to the wider organization; ISO Guide 73:2009 [5] provides the following definitions: • Better understand the organization's objectives; Term Definition • Heightened awareness of the contribution of security; ○ Risk - effect of uncertainty on objectives; • Improved relationship with/understanding of other business ○ Risk analysis - process to comprehend the nature of risk and to functions; determine the level of risk; • Improvements to the management system; ○ Risk appetite - amount and type of risk that an organization is willing to pursue or retain; Component 11 - Reporting to Top Management ○ Risk assessment - overall process of identification, analysis and Providing such feedback to top management: evaluation; • Offers reassurance that security is being effectively managed; ○ Risk evaluation - process of comparing the results of risk analysis • Offers reassurance that security understands its role in the with risk criteria to determine whether the risk and/or its magnitude achievement of the business objectives; is acceptable or tolerable; • Gives confidence in decision-making that all security issues ○ Risk identification - process of finding, recognizing and have been given appropriate consideration; describing security risks; • Reinforces the importance of security considerations in ○ - coordinated activities to direct and control an making decisions; organization with regard to security risk; • Reinforces the role of security in protecting the organization's ○ Risk tolerance - organization's or stakeholder's readiness to bear people, assets and information; the risk after security risk treatment in order to achieve its objectives; • Emphasizes that security operates in support of , and not as a barrier to them. ○ Risk treatment - process to modify risk. 3. Concepts of the security management system – (b) Security Risk Management Process discussions The purpose of security risk management may be described as: 3.1. Security and Quality Management "To identify the threats and security risks to an organization and to manage those security risks within the risk appetite of the A security management system, as with other management systems organization in order to provide reasonable assurance of the is based upon the model defined in ISO 9001:2008, Quality achievement of the organizations objectives" [6]. Management Systems –Requirements [3]. In а security risk-based, process-driven approach to security, the achievement of security (c) Security risk Registers objectives should start with a threat/security risk assessment. There is no prescription for the format of a security risk register, Having identified the security risks and planned mitigation which will vary according to the organization's culture, security risk measures, a security risk register may be established. The mitigation classification systems, the nature of the project, reporting measures detailed in the security risk register are realized through requirements and so on, but the following components are generally and security planning, thus arriving at a considered key: security solution (product), whether that is hard security measures, procedural requirements or a higher level security solution that • Inherent risk: The level of risk before any control activities supports strategic objectives, such as a strategy, have been applied; or establishment of an intelligence gathering network. • Residual risk: The level of risk that currently exists, taking 3.2. Documentation and Management Systems into account controls that have been established; A management system, as defined by ISO 9000:2005 [4] is a • Target risk: The ultimate level of risk that is desired by the 'system to establish policy and objectives and to achieve those organization; objectives'. In order to help in the achievement of those objectives, the system needs to be supported; that support comes in the form of • Controls: Measures implemented to modify risk. approved standards and procedures. An effective management (d) Security risk Treatment system should be such that it does not necessarily need a discipline expert to implement and manage it. A brief mention should be made of Controls. Controls are those measures which effect the security risk treatment. In simple terms, 3.3. Security Management Principles security risk treatment may fall into four categories: (a) Customer focus; • Treat: apply controls internally; (b) Leadership; • Tolerate: accept that risk is already within tolerance levels; no (c) Involvement of people; controls required; (d) Process approach; • Transfer: pass the risk on to a third party; usually an insurer or a contractor; (e) Systems approach to management; • Terminate: decide that even if controls are established, the risk (f) Continual improvement; will remain outside the tolerance of the organization, and so a decision to end the course of action that carries the risk would (g) Factual approach to decision making; usually be made by top management; (h) Mutually beneficial supplier relationships. (e) Analysing Likelihood and Impact 3.4. Security risk Management and Assessment There are a variety of formats; some of the more detailed include (a) Definitions other categories such as:

39 YEAR I, ISSUE 4, P.P. 37-40 (2016) INTERNATIONAL SCIENTIFIC JOURNAL "SCIENCE. BUSINESS. SOCIETY" WEB ISSN 2534-8485; PRINT ISSN 2367-8380 • Time before Impact; Conclusion: • Duration of Impact. Obviously, the four most important characteristics of any It is for the individual organizations to define their own policies on operational management system are: security risk register format and management. - Leadership; 3.5. Security Excellence - Security risk Management, Implementation; The European Foundation for Quality Management has recently - Continuous Improvement. published the latest version of its Excellence Model [7]. The Excellence Model is a non-prescriptive framework for management This is consistent with the fundamentals of security management, systems that has been widely adopted in both the public and private and so these characteristics also form the hub of the Security sector. The Concepts of Excellence [8] and the criteria may be Management System (SMS) wheel. adapted for security as follows: Effective implementation of the SMS will ensure: 3.5.1. Adding Value for the Customer • Confidence - that security has the ability to prepare for Security is often perceived as an unnecessary barrier to progress. and react to events that may otherwise present a threat to the One way to overcome this and to embed security into daily business organization's people, information and/or assets; is by understanding, anticipating and fulfilling their needs, • Optimization - that the most efficient use of resources is expectations and opportunities. made at optimum cost; 3.5.2. Creating a Sustainable Future In contributing to the organizations overall Confidence levels and In the exploration phase particularly, winning over 'hearts and Optimization of resources, a SMS will: minds' is often the key to security. An unhappy community in some • Improve the resilience of the organization; parts of the world can create significant security risks. Security input to the Corporate Social Responsibility (CSR) programme is • Enhance the organization's credibility; therefore invaluable in advancing the social conditions within • Introduce a core language and core processes for security affected communities. risk management; 3.5.3. Developing Organizational Capability • Enable an organization to be nimble and flexible in its Managing or creating the ability to change the capability of the response to security challenges; security organization will enable it to respond/adapt to the different • Continually improve the capacity of an organization to demands made upon it, whether it be deployment of a guard force manage security challenges. with limited notice, provision of executive protection, or carrying out security compliance exercises. The security organization must Literature: strive to be multi-facetted. 1. OGP, Operating Management System Framework for 3.5.4. Harnessing Creativity and Innovation controlling risk and delivering high performance in the oil and gas Often, effective security solutions come from creative thinking. industry; There is no textbook solution to security challenges and so security 2. OGP, Processes and concepts in security management; managers must be open to all ideas at all levels, no matter radical they may seem. 3. ISO 9001:2008 - Quality Management Systems - Requirements Summary; 3.5.5. Leading with Vision, Inspiration and Integrity 4. ISO 9000:2005 - Quality Management Systems - Upholding the organization's values is as relevant to the security Fundamentals and Vocabulary; function as it is to every other function. Security is not exempt from the need to inspire through upholding moral values. Upholding the 5. ISO Guide 73009 - Risk management -- Vocabulary Voluntary Principles of Security and Human Rights (VPSHR) is 6. ISO 31000:2009 - Risk Management - Principles and one area where security has the opportunity to show inspired Guidelines; leadership. 7. EQFM Excellence Model, EFQM Publications, 2012; 3.5.6. Managing with Agility 8. Fundamental Concepts of Excellence, EFQM Publications, Being 'agile' in security means having the ability to effectively and 2012; efficiently recognize and respond to threats and opportunities. The notion of a Quick Reaction Force, for example follows this concept. 3.5.7. Succeeding through the Talent of People Teamwork is key in all disciplines, but arguably more so in security; the ability to stand in for each other seamlessly, be it stepping up or stepping down, and achieving coordination in operations through an understanding of each other’s' roles ensures and develops talent and progression.

3.5.8. Sustaining Outstanding Results

In security terms, this translates as providing a 'best in class' support in all areas, and planning now to do the same in the future. Resource and strategy planning for new country entry well in advance is an example where security could sustain an outstanding performance.

40 YEAR I, ISSUE 4, P.P. 37-40 (2016)